CN108075894A - A kind of authentication on-line processing method and system - Google Patents
- Publication number: CN108075894A (application number CN201611024516.5A)
- Authority
- CN
- China
- Prior art keywords
- smart machine
- identity
- authentication
- card reader
- copy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
An online identity authentication processing method and system. The method includes: S1-1, providing a smart device, connecting a card reader through the smart device, and reading the identity information stored in an ID card with the card reader; S1-2, the smart device matching the identity information read in S1-1 against a pre-stored identity copy; S1-3, the smart device requesting an identity copy from an authentication server; S1-4, generating a first authentication information source based on the identity information read in S1-1; S1-5, receiving an entered authentication code and generating a second authentication information source based on the identity information read in S1-1 and the authentication code; S1-6, collecting biometric information of the person being authenticated on site; S1-7, performing identity authentication by comparing the first authentication information source of S1-4, the second authentication information source of S1-5 and the biometric information of S1-6 with pre-stored ID card information. The invention provides a new identity authentication processing method.
Description
Technical field
The present invention relates to identity authentication technology, and in particular to an online identity authentication processing method and system based on identity information and biometric recognition.
Background technology
With the development of Chinese society, the volume of business that requires identity verification, whether in government affairs or in finance, keeps growing, and the standards for verification and for the protection of user privacy keep rising. Verification at a high level of security, however, still requires the user to appear in person at the place where the business is handled, which wastes a great deal of people's time and effort and is very inconvenient for users. Consequently, products that verify user information by combining the Chinese second-generation identity card with the Internet have appeared; they make it much easier for citizens to handle related business and greatly improve the efficiency of business handling. However, a considerable number of users register real-name identities with other people's stolen identity cards, which creates security breaches in real-name information, and the existing products cannot meet the demand of businesses with high identity verification requirements at all. With Internet technology maturing and under the policy of "Internet + government affairs", the demand for real-name user systems is growing ever stronger, so it is necessary, and possible, to develop a highly secure identity authentication system based on Internet technology.
The content of the invention
In view of the shortcomings of the prior art, the present invention proposes an online identity authentication processing method, including:
S1-1, providing a smart device, connecting a card reader through the smart device, and reading the identity information stored in an ID card with the card reader;
S1-2, the smart device matching the identity information read in S1-1 against a pre-stored identity copy; if the match fails, proceeding to S1-3 to download an identity copy; if the match succeeds, proceeding to S1-4 to begin liveness verification;
S1-3, the smart device requesting an identity copy from an authentication server and, once the request has passed, setting an authentication code that is bound to the identity copy on the authentication server;
S1-4, generating a first authentication information source based on the identity information read in S1-1;
S1-5, receiving an entered authentication code and generating a second authentication information source based on the identity information read in S1-1 and the authentication code;
S1-6, collecting biometric information of the person being authenticated on site;
S1-7, performing identity authentication by comparing the first authentication information source of S1-4, the second authentication information source of S1-5 and the biometric information of S1-6 with pre-stored ID card information.
The present invention also proposes an online identity authentication processing system, including a smart device, a card reader, a business server and an authentication server, wherein:
the smart device connects to the card reader and reads the identity information stored in an ID card with the card reader;
the smart device matches the identity information read against a pre-stored identity copy; if the match fails, it downloads an identity copy; if the match succeeds, it begins liveness verification;
the smart device requests an identity copy from the authentication server and, once the request has passed, sets an authentication code that is bound to the identity copy on the authentication server;
the smart device generates a first authentication information source based on the identity information read;
the smart device receives an entered authentication code and generates a second authentication information source based on the identity information read and the authentication code;
the smart device collects biometric information of the person being authenticated on site;
the smart device sends the first authentication information source, the second authentication information source and the biometric information to the business server, where they are compared with pre-stored ID card information to perform identity authentication.
Beneficial effects of the present invention include:
1. Efficiency and convenience: a high-standard "real name + real document + real person" identity authentication can be carried out remotely at any time and in any place.
2. High security: during authentication, the authentication information is processed with a hash algorithm, so that the user's private information is not leaked.
3. The authentication mode provided by the invention adds the portrait and the identity card as authentication sources, which guarantees the uniqueness of the authenticated user and prevents authentication by impersonation.
4. The system offers users authentication modes of several different security levels, including:
real-name authentication mode, which authenticates the identity card number and the name;
real name + real person authentication mode, which authenticates the user's identity card number, name and portrait;
real document + real person authentication mode, which verifies the identity card and the user's portrait;
real name + real document + real person authentication mode.
5. Third parties can access the system to carry out different authentication modes according to their business needs.
Description of the drawings
Fig. 1 is the flow chart of one embodiment of the authentication on-line processing method of the present invention.
Fig. 2 is the flow chart of another embodiment of the authentication on-line processing method of the present invention.
Fig. 3 is the flow chart of another embodiment of the authentication on-line processing method of the present invention.
Fig. 4 is the flow chart of another embodiment of the authentication on-line processing method of the present invention.
Fig. 5 is the flow chart of another embodiment of the authentication on-line processing method of the present invention.
Fig. 6 is the flow chart of another embodiment of the authentication on-line processing method of the present invention.
Specific embodiment
Embodiments of the present invention are described below with reference to the accompanying drawings, in which identical components are designated by like reference characters.
First embodiment
Fig. 1 shows the flow chart of one embodiment of the online identity authentication processing method of the present invention.
In step S1-1, a smart device is provided, a card reader is connected through the smart device, and the identity information stored in an ID card is read with the card reader.
The ID card may be a Chinese second-generation identity card, a company staff card, a student card, or the like. The card reader is an electronic device capable of reading the ID card. The smart device is a mobile phone, a tablet computer, a server, or the like.
Preferably, the identity information read in S1-1 is processed (for example with a hash algorithm) into verification data.
In step S1-2, the smart device matches the identity information read in step S1-1 against a pre-stored identity copy. If the match fails, the method proceeds to step S1-3 to download an identity copy. If the match succeeds, the method proceeds to step S1-4 to begin liveness verification. The identity copy contains the identity information.
In step S1-3, the smart device requests an identity copy from the authentication server and, once the request has passed, sets an authentication code that is bound to the identity copy on the authentication server. The detailed identity copy download process includes:
A1) The smart device constructs an identity copy request and sends it to the authentication server (an authoritative, trusted party). The identity copy request carries the smart device's private-key signature.
A2) After the authentication server has authenticated the request, it returns an identity copy response carrying the authentication server's private-key signature. The identity copy response contains a credential permitting the card reader to read the identity information, and business processing data; the business processing data includes a random number and verification data (such as a service number).
A3) The smart device extracts the verification data and the random number from the identity copy response, generates an identity copy download request based on the verification data and the random number, and sends it to the authentication server. The identity copy download request carries the smart device's private-key signature.
A4) After the authentication server has authenticated the download request, it returns the identity copy to the smart device. Further, the user can set an authentication code for this identity copy; the authentication code is bound one-to-one to the identity copy and stored on the authentication server.
In step S1-4, a first authentication information source is generated based on the identity information read in S1-1. Preferably, the identity information is processed with a hash algorithm to generate the first authentication information source.
In step S1-5, the entered authentication code (for example a digit combination of predetermined length) is received, and a second authentication information source is generated based on the identity information read in S1-1 and the authentication code.
In step S1-6, biometric information of the person being authenticated is collected on site; the biometric information may be a portrait photograph, voice, or the like. In the liveness detection process, the user is guided to perform the prompted actions, and modelling is used to detect that the person in front of the camera is conscious, able to move, and a three-dimensional face. Preferably, the biometric information is encrypted. Specifically, the process of collecting the biometric information includes:
B1) The person being authenticated is prompted to perform the required reaction. The reaction may be: shaking the head left and right, nodding up and down, or the like, or reading aloud a passage of text or one's own ID card number.
B2) The reaction information of the person being authenticated is collected as the biometric information. Preferably, the reaction information is processed before being used as the biometric information; the processing may be, for example, cropping only the face from the captured picture to reduce the data volume.
In step S1-7, the first authentication information source of S1-4, the second authentication information source of S1-5 and the biometric information of S1-6 are sent to the authentication server to be compared with pre-stored ID card information for identity authentication.
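The identity copy download of A1 to A4 together with the generation of the two authentication information sources (S1-4, S1-5) and their comparison on the server (S1-7), as an added example in Go that is not part of the patent. The smart device and the authentication server each sign their messages, the download request must echo the random number from the identity copy response and is accepted only once, and the server compares the two hashed sources with its pre-stored records in constant time. Ed25519 (in place of the RSA-family signature the patent is classified under), SHA-256 as the hash algorithm, the message layouts, the constructed card data and the six-digit code are assumptions of the example; the business-server relay of the third embodiment and the biometric comparison are not modelled. One caveat a practitioner should keep in mind: an unsalted hash of a low-entropy value such as an identity card number can be enumerated by anyone who holds the hash, so the first source identifies the card holder rather than hiding the data; the signatures, the single-use random number and the bound authentication code carry the security here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Party is a smart device or the authentication server; Ed25519 stands in for the patent's RSA-family signature (assumption).
type Party struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewParty() *Party { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &Party{pub, priv} }

// Msg is a body plus the sender's signature; valid checks it with the sender's public key.
type Msg struct{ Body, Sig []byte }
func (p *Party) Sign(body []byte) Msg          { return Msg{body, ed25519.Sign(p.priv, body)} }
func valid(pub ed25519.PublicKey, m Msg) bool { return ed25519.Verify(pub, m.Body, m.Sig) }

// h is the hash algorithm of S1-4/S1-5 applied to a || b.
func h(a, b []byte) []byte { d := sha256.Sum256(append(append([]byte{}, a...), b...)); return d[:] }

// DeviceSources is S1-4 and S1-5: first = H(identity), second = H(first || authentication code).
func DeviceSources(identity, code []byte) (first, second []byte) { first = h(identity, nil); return first, h(first, code) }

// AuthServer: pre-stored ID card data as hashes (the identity copy of D7), codes bound to copies (A4), issued random numbers (A2).
type AuthServer struct {
	*Party
	records map[string]bool   // H(name|ID number|validity) of known cards
	codes   map[string][]byte // identity copy -> H(copy || code)
	nonces  map[string][]byte // device public key -> outstanding random number
}

func NewAuthServer(card []byte) *AuthServer {
	s := &AuthServer{NewParty(), map[string]bool{}, map[string][]byte{}, map[string][]byte{}}
	s.records[string(h(card, nil))] = true
	return s
}

// CopyResponse is A2: a fresh random number followed by verification data (a constructed service number).
func (s *AuthServer) CopyResponse(dev ed25519.PublicKey, req Msg) (Msg, error) {
	if !valid(dev, req) {
		return Msg{}, errors.New("identity copy request: bad device signature")
	}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	s.nonces[string(dev)] = nonce
	return s.Sign(append(nonce, []byte("SVC-0001")...)), nil
}

// DownloadCopy is A4: the request must echo the outstanding random number (consumed, so it cannot be replayed) and name a known card.
func (s *AuthServer) DownloadCopy(dev ed25519.PublicKey, req Msg) (Msg, error) {
	nonce, issued := s.nonces[string(dev)]
	if !valid(dev, req) || !issued || len(req.Body) < 48 || !bytes.Equal(req.Body[:16], nonce) {
		return Msg{}, errors.New("download request rejected: signature or random number invalid")
	}
	delete(s.nonces, string(dev))
	if idCopy := req.Body[16:48]; s.records[string(idCopy)] {
		return s.Sign(idCopy), nil
	}
	return Msg{}, errors.New("no pre-stored ID card information")
}

// BindCode completes A4: the authentication code is bound one-to-one to the identity copy.
func (s *AuthServer) BindCode(idCopy, code []byte) { s.codes[string(idCopy)] = h(idCopy, code) }

// Authenticate is S1-7 for the two information sources (biometric matching is out of scope here).
func (s *AuthServer) Authenticate(dev ed25519.PublicKey, m Msg) bool {
	if !valid(dev, m) || len(m.Body) < 64 {
		return false
	}
	first, second := m.Body[:32], m.Body[32:64]
	return s.records[string(first)] && subtle.ConstantTimeCompare(second, s.codes[string(first)]) == 1
}

// Run walks one smart device through S1-1 to S1-7 against a freshly set-up server.
func Run(card, code, enteredCode []byte) (bool, error) {
	dev, srv := NewParty(), NewAuthServer(card)
	resp, err := srv.CopyResponse(dev.Pub, dev.Sign([]byte("identity copy request"))) // A1, A2
	if err != nil || !valid(srv.Pub, resp) {
		return false, errors.New("identity copy response rejected")
	}
	first, _ := DeviceSources(card, nil)
	copyMsg, err := srv.DownloadCopy(dev.Pub, dev.Sign(append(resp.Body[:16:16], first...))) // A3, A4
	if err != nil || !valid(srv.Pub, copyMsg) || !bytes.Equal(copyMsg.Body, first) { // S1-2 match
		return false, errors.New("identity copy not obtained or does not match the card")
	}
	srv.BindCode(copyMsg.Body, code) // the user sets the code once the copy is downloaded
	f, sec := DeviceSources(card, enteredCode)
	return srv.Authenticate(dev.Pub, dev.Sign(append(f, sec...))), nil
}

func main() { fmt.Println(Run([]byte("Zhang San|110101199001011234|2016.01.01-2036.01.01"), []byte("482913"), []byte("482913"))) } // constructed card data and code
```

Run returns (true, nil) when the entered code is the bound one and (false, nil) for a wrong code; a captured download request fails at DownloadCopy on its second use because the random number has been consumed, and a message signed with a key the server does not associate with the device is rejected before any comparison.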
Second embodiment
Compared with the first embodiment, the second embodiment adds, in step S1-1, a hardware identity verification process between the smart device and the card reader, specifically:
If the smart device is connecting to the card reader for the first time, the card reader is verified.
One verification method is to determine whether this is the first connection to the card reader by checking whether identity information read from an ID card has already been stored.
As shown in Fig. 2, another verification method may be:
b1) A verification instruction is sent to the card reader.
b2) The card reader returns a first verification data packet. The first verification data includes the card reader's unique serial number (for example its MAC address) and a first check value, which is the card reader's private-key signature of the hash (MD5 may be used) of a variable sequence number. Preferably, the first verification data also includes a first supplementary check value, which is the card reader's private-key signature of the hash of the card reader's unique serial number and the first check value. The variable sequence number may be generated randomly by the card reader. Preferably, the variable sequence number is the number of times the card reader has been verified.
b3) The first verification data is verified with the card reader's public key.
Preferably, the card reader can also verify the smart device, as in b4) to b6) below:
b4) If the verification in b3) passes, the smart device sends second verification data to the card reader. The second verification data includes the smart device's unique serial number (for example its MAC address) and a second check value, which is the smart device's private-key signature of the hash (MD5 may be used) of a variable sequence number. Preferably, the second verification data also includes a second supplementary check value, which is the smart device's private-key signature of the smart device's unique serial number, the hash of the second check value and a fixed secret key. The variable sequence number may be generated randomly by the smart device. Preferably, the variable sequence number is the number of times the smart device has been verified.
b5) The card reader verifies the second verification data with the smart device's public key.
b6) If the verification passes, the smart device is allowed to connect to the card reader; if it fails, the connection is refused.
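The mutual hardware verification of b1) to b6), as an added example in Go that is not the patent's code. Each endpoint returns a packet whose check value is its signature over the hash of its verification counter and whose supplementary check value binds its serial number to that check value; the verifier checks both signatures with the peer's public key, which it is assumed to know beforehand, and additionally requires the counter to exceed the last value it accepted from that serial number. That last check is what makes the "number of times verified" choice of sequence number useful: a captured packet is rejected when it is presented again. Ed25519 and SHA-256 stand in for the private-key signature and the MD5 hash the patent allows (MD5 is no longer collision resistant and should not be used in a new design); the fixed secret key of b4) is not modelled; the serial numbers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Endpoint is a card reader or a smart device: its unique serial number, its key
// pair, a counter of how many times it has been verified (the variable sequence
// number of b2/b4) and the highest sequence number accepted from each peer serial.
// Ed25519 and SHA-256 stand in for the signature and the MD5 hash the patent
// allows (assumption of this example).
type Endpoint struct {
	Serial  string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	counter uint64
	peerMax map[string]uint64
}

func NewEndpoint(serial string) *Endpoint {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Endpoint{Serial: serial, Pub: pub, priv: priv, peerMax: map[string]uint64{}}
}

// Packet is the verification data packet of b2/b4.
type Packet struct {
	Serial     string // unique serial number (e.g. MAC address)
	Seq        uint64 // variable sequence number
	Check      []byte // signature over H(Seq)
	Supplement []byte // signature over H(Serial || Check), binding the serial to the check value
}

func seqBytes(seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return b
}

// MakePacket advances the verification counter and signs the two check values.
func (e *Endpoint) MakePacket() Packet {
	e.counter++
	digest := sha256.Sum256(seqBytes(e.counter))
	check := ed25519.Sign(e.priv, digest[:])
	sup := sha256.Sum256(append([]byte(e.Serial), check...))
	return Packet{e.Serial, e.counter, check, ed25519.Sign(e.priv, sup[:])}
}

// VerifyPacket is b3/b5: recompute both hashes, check both signatures with the
// peer's public key, and require the sequence number to exceed the last one
// accepted from that serial so that a captured packet cannot be replayed.
func (e *Endpoint) VerifyPacket(peerPub ed25519.PublicKey, p Packet) error {
	digest := sha256.Sum256(seqBytes(p.Seq))
	if !ed25519.Verify(peerPub, digest[:], p.Check) {
		return errors.New("check value signature invalid")
	}
	sup := sha256.Sum256(append([]byte(p.Serial), p.Check...))
	if !ed25519.Verify(peerPub, sup[:], p.Supplement) {
		return errors.New("supplementary check value invalid: serial number not bound to check value")
	}
	if p.Seq <= e.peerMax[p.Serial] {
		return errors.New("sequence number did not increase: replayed packet")
	}
	e.peerMax[p.Serial] = p.Seq
	return nil
}

// Pair runs b1 to b6: the smart device verifies the card reader, then the card
// reader verifies the smart device; any failure refuses the connection.
func Pair(dev, reader *Endpoint) error {
	if err := dev.VerifyPacket(reader.Pub, reader.MakePacket()); err != nil {
		return fmt.Errorf("card reader rejected: %w", err)
	}
	if err := reader.VerifyPacket(dev.Pub, dev.MakePacket()); err != nil {
		return fmt.Errorf("smart device rejected: %w", err)
	}
	return nil
}

func main() {
	dev, reader := NewEndpoint("AA:BB:CC:DD:EE:01"), NewEndpoint("AA:BB:CC:DD:EE:02") // constructed serials
	fmt.Println("first connection:", Pair(dev, reader))
	fmt.Println("second connection:", Pair(dev, reader))
}
```

Pair succeeds on every connection because both counters advance; presenting the same packet twice, a packet signed by a different key for the same serial number, or a packet whose serial number was swapped after signing each fails with a distinct error.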
Third embodiment
In a more preferred embodiment, a business server and an authentication server are provided to carry out business processing and identity authentication respectively, as shown in Fig. 3.
In step S3-1, a smart device is provided, a card reader is connected through the smart device, and the identity information stored in an ID card is read with the card reader.
The ID card may be a Chinese second-generation identity card, a company staff card, a student card, or the like. The card reader is an electronic device capable of reading the ID card. The smart device is a mobile phone, a tablet computer, a server, or the like.
Preferably, the identity information read in S3-1 is processed (for example with a hash algorithm).
Preferably, if the smart device is connecting to the card reader for the first time, the card reader is verified, specifically:
c1) The smart device sends a verification instruction to the card reader.
c2) The card reader returns a first verification data packet. The first verification data includes the card reader's unique serial number (for example its MAC address) and a first check value, which is the card reader's private-key signature of the hash (MD5 may be used) of a variable sequence number. Preferably, the first verification data also includes a first supplementary check value, which is the card reader's private-key signature of the hash of the card reader's unique serial number and the first check value. The variable sequence number may be generated randomly by the card reader. Preferably, the variable sequence number is the number of times the card reader has been verified.
c3) The smart device sends the first verification data packet to the business server, and the business server verifies the first verification data with the card reader's public key.
Preferably, the card reader can also verify the business server, as in c4) to c6) below:
c4) If the verification in c3) passes, the business server sends second verification data to the card reader via the smart device. The second verification data includes the business server's unique serial number (for example its MAC address) and a second check value, which is the business server's private-key signature of the hash (MD5 may be used) of a variable sequence number. Preferably, the second verification data also includes a second supplementary check value, which is the business server's private-key signature of the business server's unique serial number, the hash of the second check value and a fixed secret key. The variable sequence number may be generated randomly by the business server. Preferably, the variable sequence number is the number of times the business server has been verified.
c5) The card reader verifies the second verification data with the business server's public key.
c6) If the verification passes, the smart device is allowed to connect to the card reader; if it fails, the connection to the card reader is refused.
In step S3-2, the smart device matches the identity information read in step S3-1 against a pre-stored identity copy. If the match fails, the method proceeds to step S3-3 to download an identity copy. If the match succeeds, the method proceeds to step S3-4 to begin liveness verification. The identity copy contains the identity information.
In step S3-3, the smart device requests an identity copy from the authentication server and, once the request has passed, sets an authentication code that is bound to the identity copy on the authentication server. The detailed identity copy download process includes:
D1) The smart device constructs an identity copy request based on the identity information read in S3-1 and sends it to the business server. The identity copy request carries the smart device's private-key signature.
D2) The business server signs the identity copy request and forwards it to the authentication server (an authoritative, trusted party).
D3) After processing, the authentication server returns an identity copy response to the business server. The identity copy response includes verification data and a random number and carries the authentication server's private-key signature. The copy response contains a credential permitting the card reader to read the identity information, and business processing data; the business processing data includes the random number and a service number.
D4) The business server signs the identity copy response and forwards it to the smart device.
D5) The smart device extracts the verification data and the random number from the identity copy response, generates an identity copy download request and sends it towards the authentication server. The identity copy download request includes a hash generated from the ID card information (the main authentication information source), the service number, the client number, and so on.
D6) The business server signs the identity copy download request and forwards it to the authentication server.
D7) After processing, the authentication server returns the identity copy to the business server. The identity copy may be a hash of identity card data such as the name, the identity card number and the validity date.
D8) The business server signs the identity copy and forwards it to the smart device, so that the smart device obtains the identity copy.
Further, the user can set an authentication code for the identity copy; the authentication code is bound one-to-one to the identity copy and stored on the authentication server.
Preferably, a password is set when the smart device stores the identity copy; in subsequent operations, the smart device can open the identity copy only when the correct password is entered.
Referring again to Fig. 3, in step S3-4 the smart device generates a first authentication information source based on the identity information read in S3-1. Preferably, the identity information is processed with a hash algorithm to generate the first authentication information source.
In step S3-5, the smart device receives the entered authentication code (a digit combination of predetermined length) and generates a second authentication information source based on the identity information read in S3-1 and the authentication code.
In step S3-6, the smart device collects biometric information of the person being authenticated on site; the biometric information may be a portrait photograph, voice, or the like. Preferably, the biometric information is encrypted. Specifically, the process of collecting the biometric information includes:
E1) The person being authenticated is prompted to perform the required reaction. The reaction may be: shaking the head left and right, nodding up and down, or the like, or reading aloud a passage of text or one's own ID card number.
E2) The reaction information of the person being authenticated is collected as the biometric information. Preferably, the reaction information is processed before being used as the biometric information; the processing may be, for example, cropping only the face from the captured picture to reduce the data volume. Face recognition and tracking technology is used to judge whether the user has performed the nodding or head-shaking action, which at the same time achieves liveness authentication.
In step S3-7, the first authentication information source of S3-4, the second authentication information source of S3-5 and the biometric information of S3-6 are compared with pre-stored ID card information for identity authentication. Specifically:
F1) The smart device sends the first authentication information source of S3-4, the second authentication information source of S3-5 and the biometric information of S3-6 to the business server.
F2) The business server signs the received information and forwards it to the authentication server.
F3) After verification, the authentication server sends the verification result to the business server.
F4) The business server forwards the result to the smart device, which parses the verification result. Specifically, the first authentication information source of S3-4, the second authentication information source of S3-5 and the biometric information of S3-6 are compared with the pre-stored ID card information.
Fourth embodiment
The present embodiment is proposed on the basis of 3rd embodiment.
As shown in figure 4, smart machine B can realize authentication by smart machine A.
S4-1, smart machine B ask scrip (access_token) to smart machine A.Smart machine can pass through
The information such as sending device ID, random number, user's unique designation, and private key signature is asked scrip to smart machine A.
Advantageously, smart machine B can timing ask to refresh scrip to smart machine A, and cause it is old it is interim with
It is invalid to demonstrate,prove.
S4-2, smart machine A are generated effective voucher (cert_token) based on the identity of smart machine B and are sent to intelligence
It can equipment B.
S4-3, during access, smart machine B sends effective voucher to smart machine A, after smart machine A verifications are legal
Permit access.
S4-4, from smart machine A, on behalf of authentication is carried out to service server and certificate server, (process is real with the 3rd
It is identical to apply example, is no longer described in detail again), and verification result is back to smart machine B.
In yet another embodiment, smart machine B may be a QR code, as shown in Figure 5.
The QR code contains the effective credential and the user identity information obtained through steps S4-1 to S4-2 above. Smart machine A can then determine whether the QR code is authorized by scanning it. If it is authorized, access to the service server and the certificate server for identity authentication is allowed.
Further, the authentication result can be returned, through the effective credential, to the third-party server to which the QR code belongs.
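The credential issuance of S4-1 to S4-3 (and the QR-code variant, where the same credential is simply carried inside the code), as an added Go example that is not the patent's code. It assumes RSA signatures over SHA-256 digests, a "|"-joined signing input, a token lifetime, and a list of already-seen random numbers on smart machine A, none of which the text fixes. Smart machine B signs a request carrying its device ID, a random number and the user's unique designation; A verifies it under B's registered public key, issues a cert_token bound to B, and on a later request for the same device invalidates the earlier token, which is the refresh behaviour described for S4-1. The check on the random number is added here: without it, a captured S4-1 request could be presented a second time to obtain another credential. The block is a set of functions rather than a program and is driven by its caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// TokenRequest is smart machine B's S4-1 request: device ID, random number and
// the user's unique designation, signed with B's private key. The field layout
// and the "|"-joined signing input are assumptions.
type TokenRequest struct {
	DeviceID, Nonce, UserID string
	Sig                     []byte
}

func (r TokenRequest) signingInput() []byte {
	return []byte(r.DeviceID + "|" + r.Nonce + "|" + r.UserID)
}

// CertToken is the effective voucher (cert_token) of S4-2, bound to B's identity;
// the lifetime is an assumption the text does not fix.
type CertToken struct {
	Token, DeviceID, UserID string
	Expires                 time.Time
}

// Issuer is smart machine A's state: registered device keys, issued tokens, the
// current token per device, and random numbers already accepted, so a captured
// S4-1 request cannot be presented again to obtain another credential.
type Issuer struct {
	devices map[string]*rsa.PublicKey
	tokens  map[string]CertToken
	current map[string]string
	nonces  map[string]bool
	ttl     time.Duration
	Now     func() time.Time // injectable clock for expiry checks
}

func NewIssuer(ttl time.Duration) *Issuer {
	return &Issuer{devices: map[string]*rsa.PublicKey{}, tokens: map[string]CertToken{},
		current: map[string]string{}, nonces: map[string]bool{}, ttl: ttl, Now: time.Now}
}

// Register enrols B's public key with A; how keys are distributed is not specified by the text.
func (a *Issuer) Register(deviceID string, pub *rsa.PublicKey) { a.devices[deviceID] = pub }

// SignRequest is B's side of S4-1.
func SignRequest(priv *rsa.PrivateKey, deviceID, nonce, userID string) (TokenRequest, error) {
	r := TokenRequest{DeviceID: deviceID, Nonce: nonce, UserID: userID}
	h := sha256.Sum256(r.signingInput())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	r.Sig = sig
	return r, err
}

// Issue is A's side of S4-1/S4-2: verify the signature under the registered key,
// reject a reused random number, then issue a fresh cert_token. Issuing again for
// the same device invalidates its previous token (the refresh behaviour of S4-1).
func (a *Issuer) Issue(req TokenRequest) (CertToken, error) {
	pub, ok := a.devices[req.DeviceID]
	if !ok {
		return CertToken{}, errors.New("unknown device")
	}
	if a.nonces[req.Nonce] {
		return CertToken{}, errors.New("random number already used")
	}
	h := sha256.Sum256(req.signingInput())
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], req.Sig) != nil {
		return CertToken{}, errors.New("request signature does not verify")
	}
	a.nonces[req.Nonce] = true
	if old, ok := a.current[req.DeviceID]; ok {
		delete(a.tokens, old) // the old temporary credential becomes invalid
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return CertToken{}, err
	}
	tok := CertToken{Token: hex.EncodeToString(raw), DeviceID: req.DeviceID, UserID: req.UserID, Expires: a.Now().Add(a.ttl)}
	a.tokens[tok.Token] = tok
	a.current[req.DeviceID] = tok.Token
	return tok, nil
}

// Verify is S4-3: A accepts only a current, unexpired token issued to this device.
func (a *Issuer) Verify(deviceID, token string) bool {
	t, ok := a.tokens[token]
	return ok && t.DeviceID == deviceID && a.Now().Before(t.Expires)
}
```

The token is bound to the requesting device ID as well as to the user, so a credential lifted from one device cannot be presented from another, and the injectable clock lets the expiry path be exercised without waiting.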
Fifth embodiment
The present embodiment is proposed on the basis of the fourth embodiment, as shown in Figure 6.
1) Smart machine B requests an effective credential (cert_token) from the service server. The credential may be requested in the same way as in the fourth embodiment.
2) Smart machine B generates a QR code containing the effective credential, and optionally the authentication mode and other data.
3) Smart machine A scans the QR code and obtains the effective credential.
4) Smart machine A sends the QR code to the certificate server to verify whether the QR code is legitimate.
5) Smart machine A collects the associated authentication data according to the authentication mode (capturing a live portrait photo, reading the identity information, or reading the current geographic position).
6) Smart machine A submits the authentication data to the service server.
7) The service server verifies the legitimacy of the QR code credential and requests authentication from the certificate server.
8) The service server stores the data related to the authentication result in a database.
9) The certificate server pushes the authentication result to smart machine B.
The present embodiment conveniently realizes face-to-face authentication.
Sixth embodiment
The present invention also proposes an identity authentication online processing system, as shown in Figure 6.
The processing system includes a smart machine and a card reader (not shown). The smart machine is connectable to the card reader and communicates with it. Preferably, the smart machine is a mobile phone and the card reader is connected to the phone's USB port to draw power from it; alternatively, the card reader communicates with the mobile phone over Bluetooth.
The smart machine connects to the card reader and reads the identity information stored in the ID card through the card reader. The ID card may be a Chinese second-generation resident identity card, a company employee card, a student card, etc. The card reader is an electronic device capable of reading the ID card. The smart machine is a mobile phone, tablet computer, server, etc.
Preferably, the smart machine encrypts the identity information it reads (for example with a hash algorithm).
Preferably, the processing system further includes a service server and a certificate server, which respectively perform business processing and identity authentication. The service server and the certificate server may be integrated together. The service server may also be integrated with the smart machine.
Preferably, if the smart machine is connecting to the card reader for the first time, the card reader is verified as follows:
C1) The smart machine sends a verification instruction to the card reader.
C2) The card reader returns a first verification data packet. The first verification data includes: the card reader's unique serial number (for example its MAC address) and a first check value, the first check value being the card reader's private key signature over the hash value (the MD5 algorithm may be employed) of a variable sequence number. Preferably, the first verification data further includes a first supplemental check value, which is the card reader's private key signature over the hash value of the card reader's unique serial number and the first check value. The variable sequence number may be generated randomly by the card reader; preferably, it is the number of times the card reader has been verified.
C3) The smart machine sends the first verification data packet to the service server, and the service server verifies the first verification data using the card reader's public key.
Preferably, the card reader can also verify the service server, as in the following C4) to C6):
C4) If the verification in C3) passes, the service server sends second verification data to the card reader via the smart machine. The second verification data includes: the service server's unique serial number (for example its MAC address) and a second check value, the second check value being the service server's private key signature over the hash value (the MD5 algorithm may be employed) of a variable sequence number. Preferably, the second verification data further includes a second supplemental check value, which is the service server's private key signature over the hash value of the service server's unique serial number, the second check value and a fixed secret key. The variable sequence number may be generated randomly by the service server; preferably, it is the number of times the service server has been verified.
C5) The card reader verifies the second verification data using the service server's public key.
C6) If the verification passes, the smart machine is allowed to connect to the card reader; if the verification fails, the connection to the card reader is refused.
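The first-connection verification C1 to C6, as an added Go example (not the patent's code). It assumes RSA signatures, a fixed secret key provisioned on both the card reader and the service server, and SHA-256 in place of the MD5 the text permits, since a hash that a peer signs should be collision resistant and MD5 no longer is. The variable sequence number is taken as the count of verifications the sender has taken part in, the text's preferred choice, and the verifier refuses any packet whose sequence number does not advance past the last one accepted from that peer; that check is what makes the counter a defence against a recorded packet being presented again, and the text does not state it explicitly. The block is a set of functions rather than a program and is driven by its caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// VerifyPacket is the first (C2) or second (C4) verification data: unique serial
// number, variable sequence number, check value (signature over the hash of the
// sequence number) and supplemental check value (signature over the hash of
// serial number, check value and, for the service server, the fixed secret key).
type VerifyPacket struct {
	Serial           string
	Seq              uint64
	Check, SuppCheck []byte
}

// seqHash hashes the variable sequence number. The text allows MD5 here;
// SHA-256 is substituted because MD5 is no longer collision resistant.
func seqHash(seq uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	h := sha256.Sum256(b[:])
	return h[:]
}

// suppHash covers serial number, check value and the fixed secret (nil for the reader).
func suppHash(serial string, check, secret []byte) []byte {
	h := sha256.New()
	h.Write([]byte(serial))
	h.Write(check)
	h.Write(secret)
	return h.Sum(nil)
}

// Party is the card reader (secret nil) or the service server (secret set). seq
// counts the verifications it has taken part in, the text's preferred sequence
// number; lastSeen keeps the highest sequence number accepted from each peer.
type Party struct {
	Serial   string
	Pub      *rsa.PublicKey
	priv     *rsa.PrivateKey
	secret   []byte
	seq      uint64
	lastSeen map[string]uint64
}

func NewParty(serial string, secret []byte) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Serial: serial, Pub: &k.PublicKey, priv: k, secret: secret, lastSeen: map[string]uint64{}}, nil
}

// Build produces C2 (reader) or C4 (server), advancing the sequence number first.
func (p *Party) Build() (VerifyPacket, error) {
	p.seq++
	check, err := rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, seqHash(p.seq))
	if err != nil {
		return VerifyPacket{}, err
	}
	supp, err := rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, suppHash(p.Serial, check, p.secret))
	return VerifyPacket{Serial: p.Serial, Seq: p.seq, Check: check, SuppCheck: supp}, err
}

// Verify is C3 or C5: both signatures must verify under the peer's public key
// (peerSecret is the fixed secret the peer folded in, nil for the reader) and the
// sequence number must advance past the last one accepted from that peer.
func (p *Party) Verify(pkt VerifyPacket, peerPub *rsa.PublicKey, peerSecret []byte) error {
	if pkt.Seq <= p.lastSeen[pkt.Serial] {
		return errors.New("sequence number did not advance (packet seen before?)")
	}
	if rsa.VerifyPKCS1v15(peerPub, crypto.SHA256, seqHash(pkt.Seq), pkt.Check) != nil {
		return errors.New("check value does not verify")
	}
	if rsa.VerifyPKCS1v15(peerPub, crypto.SHA256, suppHash(pkt.Serial, pkt.Check, peerSecret), pkt.SuppCheck) != nil {
		return errors.New("supplemental check value does not verify")
	}
	p.lastSeen[pkt.Serial] = pkt.Seq
	return nil
}

// MutualAuth runs C1-C6 (the smart machine only relays, so it is not modelled).
// fixedSecret is the reader's provisioned copy of the server's fixed secret key;
// a nil result is C6's "allow the connection", an error is "refuse it".
func MutualAuth(reader, server *Party, fixedSecret []byte) error {
	p1, err := reader.Build() // C2
	if err != nil {
		return err
	}
	if err := server.Verify(p1, reader.Pub, nil); err != nil { // C3
		return fmt.Errorf("C3: %w", err)
	}
	p2, err := server.Build() // C4
	if err != nil {
		return err
	}
	if err := reader.Verify(p2, server.Pub, fixedSecret); err != nil { // C5
		return fmt.Errorf("C5: %w", err)
	}
	return nil
}
```

Because the supplemental check value binds the serial number to the check value, a signature lifted from one device's packet cannot be re-labelled with another serial number, and the fixed secret on the server side means a reader provisioned with a different secret rejects the server even when the server's signatures are valid.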
Then, the identity information read by the smart machine is matched against the pre-stored identity copy. If the match is unsuccessful, the identity copy is downloaded; if the match succeeds, live body verification begins. The identity copy contains the identity information.
The smart machine requests the identity copy from the certificate server; after approval, an authentication code is set and bound to the identity copy on the certificate server. The detailed process of downloading the identity copy includes:
D1) The smart machine constructs an identity copy request based on the identity information read from the card reader and sends the identity copy request to the service server. The identity copy request is signed with the smart machine's private key.
D2) The service server signs the identity copy request and forwards it to the certificate server.
D3) After processing, the certificate server returns an identity copy response packet to the service server. The identity copy response packet contains verification data and a random number, and is signed with the certificate server's private key. The copy response packet contains a credential permitting the card reader to read the identity information, together with business processing data; the business processing data include the random number and a service number.
D4) The service server signs the identity copy response packet and forwards it to the smart machine.
D5) The smart machine extracts the verification data and the random number from the identity copy response packet, generates an identity copy download request and sends it to the certificate server. The identity copy download request includes the hash value generated from the ID card information (the primary authentication information source), the service number, the client number, etc.
D6) The service server signs the identity copy download request and forwards it to the certificate server.
D7) After processing, the certificate server returns the identity copy to the service server. The identity copy may be the hash value of ID card data such as the name, ID card number and validity date.
D8) The service server signs the identity copy and forwards it to the smart machine, so that the smart machine obtains the identity copy.
Identity authentication is described next; the authentication information is acquired first.
The smart machine generates a first authentication information source based on the identity information read from the card reader. Preferably, the identity information is encrypted using a hash algorithm to generate the first authentication information source.
The smart machine receives the input authentication code (a combination of digits of predetermined length) and generates a second authentication information source based on the identity information read from the card reader and the authentication code.
The smart machine collects the biological information of the authenticated person on site; the biological information may be a portrait photo, voice, etc. Preferably, the biological information is encrypted. Specifically, the process of collecting the biological information includes:
E1) A prompt for the reaction to be performed is given to the authenticated person. The reaction may be: shaking the head left and right, nodding up and down, or reading aloud a passage of text or one's own ID card number.
E2) The reaction information of the authenticated person is collected as the biological information. Preferably, the reaction information is processed before being used as the biological information; the processing may be, for example, cropping the captured picture to the face only, to reduce the data volume.
Then the smart machine sends the collected information to the service server for identity authentication, including:
F1) The smart machine sends the first authentication information source, the second authentication information source and the biological information to the service server.
F2) The service server signs the received information and forwards it to the certificate server.
F3) After verification, the certificate server issues the verification result to the service server.
F4) The service server forwards the result to the smart machine, which parses the verification result.
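The identity copy download D1 to D8 together with the derivation of the first and second authentication information sources (and the device-side match that precedes the download), as an added Go example that is not the patent's own code. It assumes RSA-over-SHA-256 signatures, "|"-delimited message bodies, a constructed certificate-server table of known copies and a constructed service number "service-001"; the identity copy is taken, as D7 allows, to be the hash of name, ID card number and validity date, which is also the hash the device sends as the primary authentication information source. Each hop is shown verifying the signatures already on a message before countersigning it, and the certificate server releases a copy only to a download request that quotes the random number it issued in the D3 response, so a download request cannot be assembled without having received that response. The block is a set of functions rather than a program and is driven by its caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// IDCard is constructed sample content of the card read through the card reader.
type IDCard struct{ Name, Number, Validity string }

// IdentityCopy is the identity copy of D7 and the first authentication information
// source: the hash of name, ID card number and validity date.
func IdentityCopy(c IDCard) string {
	h := sha256.Sum256([]byte(c.Name + "|" + c.Number + "|" + c.Validity))
	return hex.EncodeToString(h[:])
}

// SecondSource is the second authentication information source: the card data
// bound to the short numeric authentication code entered on the smart machine.
func SecondSource(c IDCard, code string) string {
	h := sha256.Sum256([]byte(IdentityCopy(c) + "|" + code))
	return hex.EncodeToString(h[:])
}

// Matches is the device-side comparison of the read card against the stored copy.
func Matches(stored string, c IDCard) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(IdentityCopy(c))) == 1
}

func signBody(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

func verifyBody(pub *rsa.PublicKey, body, sig []byte) error {
	h := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Keys holds the three parties' key pairs in one place only to keep the example short.
type Keys struct{ Device, Service, Auth *rsa.PrivateKey }

// RoundTrip is one smart machine -> service server -> certificate server -> service
// server -> smart machine exchange (D1-D4, and again D5-D8); handle is the
// certificate server's business logic. Signatures are checked before each hop trusts the message.
func RoundTrip(k Keys, body []byte, handle func([]byte) ([]byte, error)) ([]byte, error) {
	devSig, err := signBody(k.Device, body) // D1/D5: the smart machine signs its request
	if err != nil {
		return nil, err
	}
	srvSig, err := signBody(k.Service, body) // D2/D6: the service server countersigns and forwards
	if err != nil {
		return nil, err
	}
	// D3/D7: the certificate server checks both signatures, answers, and signs the answer.
	if verifyBody(&k.Device.PublicKey, body, devSig) != nil || verifyBody(&k.Service.PublicKey, body, srvSig) != nil {
		return nil, errors.New("certificate server: bad signature chain")
	}
	reply, err := handle(body)
	if err != nil {
		return nil, err
	}
	authSig, err := signBody(k.Auth, reply)
	if err != nil {
		return nil, err
	}
	// D4/D8: relayed back; the smart machine accepts only a reply signed by the certificate server.
	if verifyBody(&k.Auth.PublicKey, reply, authSig) != nil {
		return nil, errors.New("smart machine: bad certificate server signature")
	}
	return reply, nil
}

// DownloadIdentityCopy chains the two round trips of D1-D8. known is the certificate
// server's constructed table of identity copies it holds.
func DownloadIdentityCopy(k Keys, card IDCard, known map[string]bool) (string, error) {
	var issued string // random number the certificate server placed in the D3 response
	resp, err := RoundTrip(k, []byte("copy-request|"+card.Number), func([]byte) ([]byte, error) {
		n := make([]byte, 8)
		if _, err := rand.Read(n); err != nil {
			return nil, err
		}
		issued = hex.EncodeToString(n)
		return []byte("verify-data|" + issued), nil
	})
	if err != nil {
		return "", err
	}
	// D5: card hash (primary authentication information source), random number, service number.
	req := "copy-download|" + IdentityCopy(card) + "|" + strings.TrimPrefix(string(resp), "verify-data|") + "|service-001"
	copyResp, err := RoundTrip(k, []byte(req), func(b []byte) ([]byte, error) {
		f := strings.Split(string(b), "|")
		if len(f) != 4 || f[2] != issued { // D7: the download must quote the random number from D3
			return nil, errors.New("download request not bound to the copy response")
		}
		if !known[f[1]] {
			return nil, errors.New("no identity copy for this card")
		}
		return []byte(f[1]), nil
	})
	if err != nil {
		return "", err
	}
	return string(copyResp), nil
}
```

The authentication code is only a short digit string, so SecondSource on its own does little to slow guessing of the code if the hash is ever exposed; the comparison belongs on the certificate server, which can rate-limit attempts, rather than in data handed to the smart machine.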
The embodiments described above are preferred specific embodiments of the present invention; the usual variations and substitutions made by those skilled in the art within the scope of the technical solution of the invention shall all fall within the scope of the present invention.
Claims (10)
1. An identity authentication online processing method, characterized by including:
S1-1: providing a smart machine, connecting a card reader through the smart machine, and reading the identity information stored in an ID card through the card reader;
S1-2: the smart machine matches the identity information read in S1-1 against a pre-stored identity copy; if the match is unsuccessful, proceed to S1-3 to download the identity copy; if the match succeeds, proceed to S1-4 to begin live body verification;
S1-3: the smart machine requests the identity copy from a certificate server; after approval, an authentication code is set and bound to the identity copy on the certificate server;
S1-4: generating a first authentication information source based on the identity information read in S1-1;
S1-5: receiving an input authentication code, and generating a second authentication information source based on the identity information read in S1-1 and the authentication code;
S1-6: collecting the biological information of the authenticated person on site;
S1-7: performing identity authentication by comparing the first authentication information source of S1-3, the second authentication information source of S1-5 and the biological information of S1-6 with the pre-stored ID card information.
2. The identity authentication online processing method according to claim 1, characterized in that in S1-1, if the smart machine is connecting to the card reader for the first time, the card reader is verified, including:
B1) the smart machine sends a verification instruction to the card reader;
B2) the card reader returns a first verification data packet, the first verification data including: the card reader's unique serial number and a first check value, the first check value being the card reader's private key signature over the hash value of a variable sequence number;
B3) verifying the first verification data using the card reader's public key;
B4) if the verification in B3) passes, the smart machine sends second verification data to the card reader, the second verification data including: the smart machine's unique serial number and a second check value, the second check value being the smart machine's private key signature over the hash value of a variable sequence number;
B5) the card reader verifies the second verification data using the smart machine's public key.
3. The online identity authentication method according to claim 2, characterized in that
in B2), the first verification data further includes a first supplemental check value, the first supplemental check value being the card reader's private key signature over the hash value of the card reader's unique serial number and the first check value; the variable sequence number may be generated randomly by the card reader; the variable sequence number is the number of times the card reader has been verified;
in B4), the second verification data further includes a second supplemental check value, the second supplemental check value being the smart machine's private key signature over the hash value of the smart machine's unique serial number, the second check value and a fixed secret key.
4. The identity authentication online processing method according to claim 1, characterized in that in S1-3, the step of requesting the identity copy includes:
D1) the smart machine constructs an identity copy request based on the identity information read in S3-1 and sends the identity copy request to a service server;
D2) providing a service server, which signs the identity copy request and forwards it to the certificate server;
D3) after processing, the certificate server returns an identity copy response to the service server, the identity copy response packet containing verification data and a random number; preferably, the identity copy response packet contains a credential permitting the card reader to read the identity information, together with business processing data, the business processing data including the random number and a service number;
D4) the service server signs the identity copy response and forwards it to the smart machine;
D5) the smart machine extracts the verification data and the random number from the identity copy response, generates an identity copy download request and sends it to the certificate server;
D6) the service server signs the identity copy download request and forwards it to the certificate server;
D7) after processing, the certificate server returns the identity copy to the service server;
D8) the service server signs the identity copy and forwards it to the smart machine, so that the smart machine obtains the identity copy.
5. The identity authentication online processing method according to claim 1, characterized by further including:
S4-1: providing two smart machines, smart machine B requesting a temporary credential from smart machine A;
S4-2: smart machine A generates an effective credential based on the identity of smart machine B and sends it to smart machine B; preferably, the identity of smart machine B is a QR code, and the identity information of smart machine B is contained in the QR code;
S4-3: on access, smart machine B sends the effective credential to smart machine A, and access is permitted after smart machine A verifies that it is legitimate;
S4-4: smart machine A performs identity authentication with the certificate server on behalf of smart machine B according to steps S1-2 to S1-7.
6. An identity authentication online processing system, characterized by including: a smart machine, a card reader, a service server and a certificate server, wherein
the smart machine connects to the card reader and reads the identity information stored in an ID card through the card reader;
the smart machine matches the read identity information against a pre-stored identity copy; if the match is unsuccessful, the identity copy is downloaded; if the match succeeds, live body verification begins;
the smart machine requests the identity copy from the certificate server; after approval, an authentication code is set and bound to the identity copy on the certificate server;
the smart machine generates a first authentication information source based on the read identity information;
the smart machine receives an input authentication code and generates a second authentication information source based on the read identity information and the authentication code;
the smart machine collects the biological information of the authenticated person on site;
the smart machine sends the first authentication information source, the second authentication information source and the biological information to the service server, where they are compared with the pre-stored ID card information to perform identity authentication.
7. The identity authentication online processing system according to claim 6, characterized in that if the smart machine is connecting to the card reader for the first time, the card reader is verified, including:
B1) the smart machine sends a verification instruction to the card reader;
B2) the card reader returns a first verification data packet, the first verification data including: the card reader's unique serial number and a first check value, the first check value being the card reader's private key signature over the hash value of a variable sequence number;
B3) verifying the first verification data using the card reader's public key;
B4) if the verification in B3) passes, the smart machine sends second verification data to the card reader, the second verification data including: the smart machine's unique serial number and a second check value, the second check value being the smart machine's private key signature over the hash value of a variable sequence number;
B5) the card reader verifies the second verification data using the smart machine's public key.
8. The identity authentication online processing system according to claim 7, characterized in that
in B2), the first verification data further includes a first supplemental check value, the first supplemental check value being the card reader's private key signature over the hash value of the card reader's unique serial number and the first check value; the variable sequence number may be generated randomly by the card reader; the variable sequence number is the number of times the card reader has been verified;
in B4), the second verification data further includes a second supplemental check value, the second supplemental check value being the smart machine's private key signature over the hash value of the smart machine's unique serial number, the second check value and a fixed secret key.
9. The identity authentication online processing system according to claim 6, characterized in that the step of the smart machine requesting the identity copy includes:
D1) the smart machine constructs an identity copy request based on the read identity information and sends the identity copy request to the service server;
D2) the service server signs the identity copy request and forwards it to the certificate server;
D3) after processing, the certificate server returns an identity copy response to the service server, the identity copy response packet containing verification data and a random number; preferably, the identity copy response packet contains a credential permitting the card reader to read the identity information, together with business processing data, the business processing data including the random number and a service number;
D4) the service server signs the identity copy response and forwards it to the smart machine;
D5) the smart machine extracts the verification data and the random number from the identity copy response, generates an identity copy download request and sends it to the certificate server;
D6) the service server signs the identity copy download request and forwards it to the certificate server;
D7) after processing, the certificate server returns the identity copy to the service server;
D8) the service server signs the identity copy and forwards it to the smart machine, so that the smart machine obtains the identity copy.
10. The identity authentication online processing system according to claim 6, characterized by further including two smart machines, smart machine B and smart machine A, smart machine B performing identity authentication via smart machine A, wherein
S4-1: smart machine B requests a temporary credential from smart machine A;
S4-2: smart machine A generates an effective credential based on the identity of smart machine B and sends it to smart machine B; preferably, the identity of smart machine B is a QR code, and the identity information of smart machine B is contained in the QR code;
S4-3: on access, smart machine B sends the effective credential to smart machine A, and access is permitted after smart machine A verifies that it is legitimate;
S4-4: smart machine A performs identity authentication with the certificate server on behalf of smart machine B.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611024516.5A CN108075894B (en) | 2016-11-17 | 2016-11-17 | Identity authentication online processing method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108075894A true CN108075894A (en) | 2018-05-25 |
CN108075894B CN108075894B (en) | 2023-03-28 |
Family
ID=62160714
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611024516.5A Active CN108075894B (en) | 2016-11-17 | 2016-11-17 | Identity authentication online processing method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108075894B (en) |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102013001A (en) * | 2010-12-06 | 2011-04-13 | 苏州国芯科技有限公司 | Card reader with authentication function and authentication method thereof |
CN104618117A (en) * | 2015-02-04 | 2015-05-13 | 北京云安世纪科技有限公司 | Two-dimension code based smart card device identity authentication device and method |
CN106100850A (en) * | 2016-06-17 | 2016-11-09 | 公安部第三研究所 | Intelligent and safe chip signing messages transmission method based on Quick Response Code and system |
Non-Patent Citations (1)
Title |
---|
国伟 等: "第二代居民身份证微型识别器", 《警察技术》 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108876375A (en) * | 2018-06-29 | 2018-11-23 | 全链通有限公司 | Block chain real name participatory approaches and system |
CN108876375B (en) * | 2018-06-29 | 2020-09-08 | 全链通有限公司 | Block chain real name participation method and system |
CN109413086A (en) * | 2018-11-16 | 2019-03-01 | 阿里巴巴集团控股有限公司 | Line coker tests the method and device of identity information |
CN109413086B (en) * | 2018-11-16 | 2020-11-24 | 创新先进技术有限公司 | Method and device for checking identity information on line |
CN110278214A (en) * | 2019-04-02 | 2019-09-24 | 公安部第三研究所 | The method for realizing the distant processing of getting killed of safety for smart chip card |
CN110278214B (en) * | 2019-04-02 | 2020-05-01 | 公安部第三研究所 | Method for realizing safe remote killing processing aiming at intelligent chip card |
CN110851858A (en) * | 2019-10-16 | 2020-02-28 | 上海源庐加佳信息科技有限公司 | Hotel individual privacy data protection method based on zero-knowledge proof |
CN110851858B (en) * | 2019-10-16 | 2023-09-05 | 上海源庐加佳信息科技有限公司 | Hotel personal privacy data protection method based on zero knowledge proof |
CN110855664A (en) * | 2019-11-12 | 2020-02-28 | 广州大白互联网科技有限公司 | Network certificate system |
Also Published As
Publication number | Publication date |
---|---|
CN108075894B (en) | 2023-03-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |